PT-2019-2966

Published: 2019-06-29 · Updated: 2022-05-30 · CVE-2019-13050

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: SKS keyserver network versions through 1.2.0; GnuPG versions through 2.2.16
Description: The issue stems from the interaction between the SKS keyserver code and GnuPG: it is risky to have a GnuPG keyserver configuration line that refers to a host on the SKS keyserver network, because a key fetched from there can be the subject of a Certificate Spamming Attack, which causes a persistent denial of service. The vulnerability is also associated with the lack of verification of host certificate data, which allows a remote attacker to cause a denial of service.
Recommendations: For SKS keyserver network versions through 1.2.0, consider disabling the keyserver configuration line that refers to a host on the SKS keyserver network until a patch is available. For GnuPG versions through 2.2.16, stop using a keyring that has automatically fetched a poisoned key, and follow the guide to fix the gpg client so the issue does not recur. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
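As an added example (not part of this advisory or of GnuPG), the following POSIX shell audit checks a gpg.conf for the two points the recommendation raises: a keyserver line pointing into the SKS pool, and the absence of an option that trims unusable signatures on import. It assumes the sks-keyservers.net pool hostname, the GnuPG options keyserver, keyserver-options and import-options with the value import-clean, and keys.openpgp.org as the replacement keyserver; the two config files are constructed samples.

```shell
#!/bin/sh
# Added example: audit a gpg.conf for the risky SKS keyserver setting and for
# a missing import-clean option. Assumed (not from the advisory): the
# sks-keyservers.net pool hostname and the GnuPG options keyserver,
# keyserver-options and import-options with the value import-clean.

# Print findings for one config file; return 0 only when nothing risky is found.
audit_gpg_conf() {
    conf="$1"
    status=0
    # Any keyserver line that refers into the SKS pool is the risky configuration.
    if grep -Eiq '^[[:space:]]*keyserver[[:space:]]+.*sks-keyservers\.net' "$conf"; then
        echo "WARN: $conf: keyserver line points into the SKS pool"
        status=1
    fi
    # import-clean drops unusable signatures on import, so a spammed key is not
    # stored whole in the keyring.
    if ! grep -Eiq '^[[:space:]]*(keyserver-options|import-options)[[:space:]]+.*import-clean' "$conf"; then
        echo "WARN: $conf: no import-clean option set"
        status=1
    fi
    return "$status"
}

# Constructed sample configs (not real user files) written into a temp dir;
# prints the directory so callers can find weak.conf and hardened.conf.
write_sample_confs() {
    dir=$(mktemp -d)
    cat > "$dir/weak.conf" <<'EOF'
keyserver hkps://hkps.pool.sks-keyservers.net
EOF
    cat > "$dir/hardened.conf" <<'EOF'
keyserver hkps://keys.openpgp.org
keyserver-options import-clean
import-options import-clean
EOF
    echo "$dir"
}

# Demo: the weak sample produces two warnings, the hardened one passes.
sample_dir=$(write_sample_confs)
for f in "$sample_dir/weak.conf" "$sample_dir/hardened.conf"; do
    if audit_gpg_conf "$f"; then echo "OK: $f"; fi
done
```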

Exploit

DoS

Improper Certificate Validation


Weakness Enumeration

Related Identifiers

ALSA-2020:4490
ALT-PU-2019-2236
ALT-PU-2020-1688
BDU:2019-02942
CESA-2020_4490
CVE-2019-13050
OPENSUSE-SU-2019:1917-1
OPENSUSE-SU-2019_1917-1
RHSA-2020:4490
RHSA-2020_4490
RLSA-2020:4490
SUSE-SU-2019:2006-1
SUSE-SU-2019:2480-1
SUSE-SU-2019_2480-1
USN-5431-1

Affected Products

Alt Linux
Almalinux
Centos
Gnupg
Red Hat
Rocky Linux
Sks Keyserver Network
Suse
Ubuntu